OK - what is the matter with changing that to be an ALLOW, and having the
default rules set to DENY as they should be? Alternately, ALLOW that
address and port, and _then_ DENY the port in a later rule.
>what else do I need to do to make that work?

That's actually where 'http://www.iptables.org/documentation/HOWTO/'
redirects to now. The documents are a bit older than that. You can also
look at the various HOWTOs that should be part of your system - the
"Security-Quickstart-HOWTO" gives a very good set of explanations.

Old guy
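An added example (not from the thread, not Moe Trin's or Rick Merrill's own rules) that renders both layouts Moe Trin suggests as `iptables-restore` input and checks that the whitelist actually takes effect. The source address 208.201.239.36 and port 23 are the ones from Rick's rule; the loopback rule and the ESTABLISHED,RELATED rule are assumptions added so that a DROP policy on INPUT does not also cut off local traffic and replies to connections the host itself opened.

```shell
#!/bin/sh
# Added example: two ways to whitelist one source for one port, as
# iptables-restore text, plus a check that the port is not left open.

# Option 1: default policy DROP on INPUT, ACCEPT only the whitelisted source.
# The lo and ESTABLISHED,RELATED rules are assumed extras (see lead-in).
whitelist_default_drop() {
    src="$1"; port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${src} -p tcp --dport ${port} -j ACCEPT
COMMIT
EOF
}

# Option 2: leave the chain policy alone, ACCEPT the address first and DROP
# the port for everyone else in a later rule. iptables evaluates rules in
# order and stops at the first match, so the ACCEPT must come before the DROP.
whitelist_accept_then_drop() {
    src="$1"; port="$2"
    cat <<EOF
*filter
-A INPUT -s ${src} -p tcp --dport ${port} -j ACCEPT
-A INPUT -p tcp --dport ${port} -j DROP
COMMIT
EOF
}

# Returns 0 when the ruleset text lets the whitelisted source reach the port
# AND closes the port to everyone else, either through a DROP policy on INPUT
# or through a DROP rule for the port that comes after the ACCEPT.
whitelist_is_effective() {
    rules="$1"; src="$2"; port="$3"
    accept=$(printf '%s\n' "$rules" \
        | grep -n -- "-s ${src} -p tcp --dport ${port} -j ACCEPT" \
        | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] || return 1
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        return 0
    fi
    drop=$(printf '%s\n' "$rules" \
        | grep -n -- "^-A INPUT -p tcp --dport ${port} -j DROP" \
        | head -n 1 | cut -d: -f1)
    if [ -n "$drop" ] && [ "$accept" -lt "$drop" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration with the address and port from the thread.
rules=$(whitelist_accept_then_drop 208.201.239.36 23)
printf '%s\n' "$rules"
if whitelist_is_effective "$rules" 208.201.239.36 23; then
    echo "whitelist effective: only 208.201.239.36 reaches tcp/23"
else
    echo "whitelist NOT effective: check rule order"
fi
```

Either function's output can be saved to a file and loaded with `iptables-restore < file`; the ESTABLISHED,RELATED rule in option 1 is what keeps an existing remote session alive once the INPUT policy flips to DROP. Neither layout needs a negated match, which sidesteps the `-s ! addr` form in Rick's rule that newer iptables releases warn about in favour of `! -s addr`.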

10-03-2007, 12:34 AM

unix

Re: iptables

Moe Trin wrote:
> On Mon, 05 Feb 2007, in the Usenet newsgroup comp.security.firewalls, in article
> <trWdnRnEFKkDNFrYnZ2dnUVZ_tadnZ2d@comcast.com>, Rick Merrill wrote:
>
>> Anyone using iptables under Linux as a whitelist filter?
>
> Lots of people
>
>> For example,
>>
>> iptables -A INPUT -t filter -s ! 208.201.239.36 -p tcp --dport 23 -j DROP
>
> OK - what is the matter with changing that to be an ALLOW, and having the
> default rules set to DENY as they should be? Alternately, ALLOW that
> address and port, and _then_ DENY the port in a later rule.
>
>> what else do I need to do to make that work?
>
> http://www.netfilter.org/documentation/HOWTO/
>
> [TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
> [TXT] networking-concepts-HOWTO.txt 24-Dec-2006 16:06 28K
> [TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K
>
> That's actually where 'http://www.iptables.org/documentation/HOWTO/'
> redirects to now. The documents are a bit older than that. You can also
> look at the various HOWTOs that should be part of your system - the
> "Security-Quickstart-HOWTO" gives a very good set of explanations.
>
> Old guy
>